Analytics Alerts
Browse the Cortex analytics alert reference.
22 alerts match the current filters. tactic: TA0042 ✕
Show ATT&CK heatmapA new Azure email domain verification was requested Informational Cloud 1 variation
A new Azure email domain verification was requested.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Resource Development (TA0042)ATT&CK techniques: Compromise Accounts: Email Accounts (T1586.002)Required data: Azure Audit LogAttacker's goals: Use an existing domain to launch phishing attacks from your environment.Investigative actions: Check if you recognize the added email domain.Variations
A new Azure email domain verification was requested by an unusual identity
Low overridden
A new Azure email domain verification was requested.The identity was not seen performing operations on this resource type in the last 30 days. overridden
A possible risky login to Azure Informational Identity Analytics 2 variations
A risky sign-in attempt was observed in Azure.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Valid Accounts (T1078)Required data: AzureADAttacker's goals: An attacker is attempting to compromise an Azure account by exploiting weak or guessed passwords for initial access.Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Reach out to the user to confirm the legitimacy of the recent password reset activity. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.Variations
Azure Risky Login with Suspicious Characteristics
Low overridden
A risky sign-in attempt was observed in Azure. overridden
Azure-Defined High-Risk Login Attempt
Low overridden
A risky sign-in attempt was observed in Azure. overridden
A user connected from a new country Informational Identity Analytics 1 variation
A user connected from an unusual country that the user has not connected from before. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.Variations
A user connected from a new country - suspicious characteristics detected
Low overridden
The user connected from a country they have not accessed from previously, which may indicate potential account compromise due to unusual or suspicious characteristics. overridden
A user connected to a VPN from a new country Informational Identity Analytics 1 variation
A user connected to a VPN from an unusual country that the user has not connected from before. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the country is an approved country to connect from. Follow further actions done by the user.Variations
A user connected to a VPN from a suspicious country
Low overridden
A user connected to a VPN service from an unusual country. This may indicate the account was compromised. overridden
A user logged in from an abnormal country or ASN Informational Identity Analytics 1 variation
A user logged in from an unusual country or ASN. This may indicate that the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: XDR AgentAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user is currently located in the aforementioned country. Check for any other suspicious activity related to the account. Check other ASNs and Countries that the user logged in from. Look for additional login attempts.Variations
A service account successfully logged in from a new country or ASN
Low overridden
A service account successfully logged in to an internet facing server from an unusual country or ASN. This may indicate that the account was compromised. overridden
A user rejected an SSO request from an unusual country Low Identity Analytics
A user rejected an SSO authentication request from an abnormal country.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: OktaAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Verify the reject cause of the MFA attempts. Check to see if the user has successfully authenticated around the time of the alert, and confirm it's a legitimate login. Verify the authentication attempt from the rare country is benign.An AWS Route 53 domain was transferred to another AWS account Informational Cloud
An AWS Route 53 domain was transferred to another AWS account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Resource Development (TA0042)ATT&CK techniques: Acquire Infrastructure: Domains (T1583.001)Required data: AWS Audit LogAttacker's goals: Gain access to DNS records and abuse them for malicious purposes.Investigative actions: Check if the domain transfer was done by an authorized user.Cloud email sending was enabled Informational Cloud 1 variation
Cloud email sending was enabled for the cloud account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Resource Development (TA0042)ATT&CK techniques: Compromise Accounts: Email Accounts (T1586.002)Required data: AWS Audit LogAttacker's goals: Use the existing account to send phishing or spread malware.Investigative actions: Check if the identity has performed any email-related operations in the past. Check if this account should be used for email sending.Variations
Cloud email sending was enabled by an unusual identity
Low overridden
Cloud email sending was enabled for the cloud account.The identity was not seen performing any operations in SES in the last 30 days. overridden
First VPN access attempt from a country in organization Informational Identity Analytics 1 variation
A user attempted to connect from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the country is an approved country to connect from. Follow further actions done by the user.Variations
First successful VPN access from a country in organization
Low overridden
A user successfully connected from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised. overridden
First connection from a country in organization Informational Identity Analytics 1 variation
A user connected to an SSO service from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.Variations
First successful SSO connection from a country in organization
Informational overridden
A user successfully connected from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised. overridden
IP Rotation Pattern in SSO Spray Informational Identity Analytics 2 variations
A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker may be attempting to compromise user accounts through unauthorized access attempts.Investigative actions: Determine if the activity was performed by a legitimate user. Check for any successful logins that occurred following a series of failed attempts. Investigate the AS organization and evaluate the ASN's reputation for malicious activity. Review historical login behavior from the same IP addresses or ASN. Validate whether MFA was triggered or bypassed during the authentication attempts.Variations
Potential Targeted SSO Password Spray Activity Detected
Medium overridden
A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts. overridden
Suspicious SSO Login Attempts from Multiple IPs
Low overridden
A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts. overridden
Impossible traveler - SSO Low Identity Analytics 3 variations
User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 6 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user routed their traffic via a VPN, or shared their credentials with a remote employee.Variations
Impossible traveler - non-interactive SSO authentication
Informational overridden
User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden
Possible Impossible traveler via SSO
Informational overridden
User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden
SSO impossible traveler from a VPN or proxy
Informational overridden
User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden
Impossible traveler - VPN Low Identity Analytics 3 variations
A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 7 Days
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user routed their traffic via a proxy, or shared their credentials with a remote employee.Variations
Possible Impossible traveler via VPN
Informational overridden
A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden
VPN impossible traveler from a VPN or proxy
Informational overridden
A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden
VPN impossible traveler with an unusual parameter
Medium overridden
A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden
Multiple Okta MFA requests sent to a user Informational Identity Analytics 1 variation
Multiple SSO MFA attempts were sent to the user. This may indicate an MFA fatigue attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Multi-Factor Authentication Request Generation (T1621)Required data: OktaAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Verify the reasoning behind the MFA request rejections. Follow further actions performed by the user.Variations
Multiple Okta MFA requests sent to a user with unusual characteristics
Low overridden
Multiple SSO MFA attempts were sent to the user. This may indicate an MFA fatigue attack. overridden
OneDrive file upload Informational Cloud
A file was uploaded to OneDrive using Microsoft Graph API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Resource Development (TA0042)ATT&CK techniques: Stage Capabilities (T1608) Stage Capabilities: Upload Malware (T1608.001)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Establish persistence by uploading files to OneDrive, potentially using it as a staging area for further malicious activities.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Possible Impossible Travel Pattern - SSO Informational Identity Analytics 2 variations
A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Valid Accounts (T1078)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker who compromises user credentials will leverage those credentials to gain initial access to the corporate network.To obfuscate their true origin, adversaries commonly route traffic through proxies or VPNs across multiple geographic locations.Investigative actions: Review the source IPs and AS organizations. Check if they are associated with known corporate VPNs, cloud hosting providers, or personal VPN services. Examine recent activity associated with the user in the relevant SSO provider, focusing on suspicious actions such as MFA changes or unusual data access.Variations
Azure First-Seen Device - Impossible Traveler
Low overridden
A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft. overridden
Rare Country Login - Impossible Traveler (SSO)
Low overridden
A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft. overridden
SES Production Access Requested Informational Cloud 1 variation
An identity requested to move the SES account from a restricted sandbox mode into production mode.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Resource Development (TA0042)ATT&CK techniques: Compromise Accounts: Email Accounts (T1586.002)Required data: AWS Audit LogAttacker's goals: Use the existing account to send phishing or spread malware at scale.Investigative actions: Check if the identity has performed any email-related operations in the past. Check if this account should be used for email sending.Variations
SES Production Access Requested by an unusual identity
Low overridden
An identity requested to move the SES account from a restricted sandbox mode into production mode.The identity was not seen performing any operations in SES in the last 30 days. overridden
SSO Brute Force Informational Identity Analytics 3 variations
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Brute Force (T1110) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Check the legitimacy of this activity and determine whether it is malicious or not. Check if the user usually logs in from this country. Check whether a successful login was made after unsuccessful attempts.Variations
SSO Brute Force on a Honey User Account
Medium overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden
SSO Brute Force Threat Detected
Medium overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden
SSO Brute Force Activity Observed
Low overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden
SSO Password Spray Informational Identity Analytics 3 variations
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: See whether this was a legitimate action. Check if the user usually logs in from this country. Check whether a successful login was made after unsuccessful attempts.Variations
SSO Password Spray Involving a Honey User
Medium overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden
SSO Password Spray Threat Detected
Medium overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden
SSO Password Spray Activity Observed
Low overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden
Untrusted process contacted LLM API Informational 1 variation
An untrusted process contacted an LLM API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Resource Development (TA0042)ATT&CK techniques: Obtain Capabilities: Artificial Intelligence (T1588.007)Required data: XDR AgentAttacker's goals: Adversaries may use LLM APIs to create malicious payload dynamically. Each payload will be slightly different making detection more complex.Investigative actions: Investigate the process that contacted the LLM API. Check if this LLM API access is legitimate and expected. Analyze the data potentially sent to the LLM service.Variations
Untrusted process contacted a rare LLM API
Low overridden
An untrusted process contacted a rare LLM API. overridden
User attempted to connect from a suspicious country Informational Identity Analytics 1 variation
A user connected from an unusual country. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.Variations
User successfully connected from a suspicious country
Low overridden
A user successfully connected from an unusual country. This may indicate the account was compromised. overridden
VPN login Brute-Force attempt Informational Identity Analytics 2 variations
A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Brute Force (T1110) Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: An attacker attempts to gain access to the account.Investigative actions: Verify successful connections by the user account, as these can indicate the attacker managed to guess the credentials. Analyze login patterns for abnormal times, locations, or IPs for suspicious activity. Look for VPN login attempts from countries where the organization does not typically operate. Cross-reference the IP addresses with threat intelligence sources. Follow further actions taken by the account.Variations
Successful VPN Login Brute Force
Low overridden
A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack. overridden
VPN login brute-force attempt with suspicious characteristics
Low overridden
A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack. overridden